[ZDP] BackTalk to Document The Zope Book (2.5 Edition)/Users and Security

webmaster@zope.org
Tue, 15 Oct 2002 06:10:02 -0400


A comment to the paragraph below was recently added via http://www.zope.org/Documentation/Books/ZopeBook/current/Security.stx#3-111

---------------

      When you visit an executable object by going to its URL or
      calling it from DTML or a script, Zope runs the object's
      script. The script is restricted by the roles of the object's
      owner and your roles. In other words an executable object can
      only perform actions that *both* the owner and the viewer are
      authorized for. This keeps an unprivileged user from writing a
      harmful script and then tricking a powerful user into executing
      the script. You can't fool someone else into performing an
      action that you are not authorized to perform yourself. This is
      how Zope uses ownership to protect against server-side
      Trojan horse attacks.

        % Anonymous User - Oct. 15, 2002 6:10 am:
         (see also http://www.zope.org/Documentation/Books/ZopeBook/current/Security.stx#3-32)
         If the executable object /view.py is applied on the object /data/a_file
         by calling http://site/data/a_file/view.py
         then it can only perform actions that 
          [the owner of /view.py is authorized to perform on /data/a_file ]
          AND  
          [ [the viewer is authorized to perform on /data/a_file ]
            OR [ /view.py has proxy-roles that authorize on /data/a_file ]]
         Is this right?
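An added example, not from this post or the Zope code base, modelling the rule the quoted Zope Book paragraph states: an executable may perform an action on a target object only when both its owner and the viewer hold a role permitted for that action there. The classes, function names and the role/permission table are constructed for illustration; real Zope security machinery is more involved.

```python
from dataclasses import dataclass, field

@dataclass
class ProtectedObject:
    """Hypothetical stand-in for a Zope object: permission -> roles allowed."""
    name: str
    permission_roles: dict = field(default_factory=dict)

@dataclass
class Principal:
    """A user with a set of roles."""
    name: str
    roles: set

@dataclass
class Executable:
    """A script or DTML method; the roles of its owner bound what it may do."""
    name: str
    owner: Principal

def role_allows(obj, permission, roles):
    """True when any of `roles` is granted `permission` on `obj`."""
    return bool(roles & obj.permission_roles.get(permission, set()))

def can_execute(script, viewer, target, permission):
    """Rule from the quoted paragraph: BOTH the owner and the viewer must be
    authorized for the action on the target, so neither party's roles alone
    suffice (this is what blocks the server-side Trojan horse)."""
    return (role_allows(target, permission, script.owner.roles)
            and role_allows(target, permission, viewer.roles))

def demo():
    # Constructed permission table for /data/a_file
    data = ProtectedObject("/data/a_file", {
        "View": {"Anonymous", "Member", "Manager"},
        "Delete objects": {"Manager"},
    })
    member = Principal("mallory", {"Member"})
    manager = Principal("alice", {"Manager"})
    trojan = Executable("/cleanup.py", owner=member)      # written by a Member
    honest = Executable("/admin_cleanup.py", owner=manager)
    return {
        # Member-owned script tricked onto a Manager: owner lacks Delete -> denied
        "trojan_run_by_manager": can_execute(trojan, manager, data, "Delete objects"),
        # Manager-owned script run by a Member: viewer lacks Delete -> denied
        "admin_script_run_by_member": can_execute(honest, member, data, "Delete objects"),
        # Manager-owned script run by a Manager -> allowed
        "admin_script_run_by_manager": can_execute(honest, manager, data, "Delete objects"),
        # View is granted to everyone, so both checks pass
        "trojan_view": can_execute(trojan, manager, data, "View"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(case, "->", "allowed" if ok else "denied")
```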